As transmission speeds of communications networks continue to increase, the difficulty to effectively monitor and process the traffic transmitted over communications networks also increases. However, despite these high speeds, it is still desirable to monitor and/or process the traffic sent over high-speed IP communications networks.
Current IP traffic monitoring systems include full-duplex taps which copy IP traffic and send the copied packets to one or more processors for analysis while the original traffic maintains intact. However, some single processors may not be capable of processing high bandwidth IP traffic streams in real time or near real time, as is necessary for many applications. Thus, some systems split high bandwidth IP streams among a plurality of processors based on each packet's address information. This information can include a packet's source or destination IP address, Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port values, or its Stream Control Transmission Protocol (SUP) information.
Current IP traffic monitoring systems rely upon each monitored packet being uniquely identifiable. In many cases, this is accomplished via each packet's IP and TCP, UDP, or SCTP address information.
Internet applications use the IP protocol suite for end-to-end communication today. In mobile access networks, the user IP traffic is encapsulated into the payload of a number of network and radio protocols while transmitted over the network and the air interface. Tunnelling is a special form of encapsulation which ensures that user traffic is routed as per internal policies in the IP access network while the original packets are kept intact. In realizations, for example in 3rd Generation Partnership Project (3GPP) based networks, the General Packet Radio Service (GPRS) Tunnelling Protocol (GTP) is used to encapsulate the user IP packet in the tunnel IP packet.
In these networks, signalling message packets are tunnelled such that each packet includes the same outer IP address and/or TCP, UDP, or SCTP port information. In case processor selection is performed on the basis of the outer IP address (and/or TCP, UDP, or SCTP port information) the same processor would be selected for each packet, which would lead to an overload or at least to an extremely high load at the selected processor. Accordingly, where tunnelling is used, the outer IP addresses and TCP, UDP, or SCTP header information are not usable to segregate traffic into multiple streams for splitting the traffic among a plurality of processors. Thus, a single network monitoring processor may be required to process all signalling message packets sent through the same tunnel. This may result in the processor being overwhelmed in current high speed networks.
Monitoring or controlling tunnelled IP traffic often requires the inspection of the payload of the tunnel IP packet, in particular the headers of the inner user IP packet. In this respect, Deep Packet Inspection (DPI) may be performed, which is the act of any packet network equipment (which is not an endpoint of a communication) using non-header content (typically the actual payload) for some purpose. This is usually performed as the packet passes an inspection point, searching for protocol non-compliance, viruses, spam, intrusions or predefined criteria to decide what actions to take on the packet, including collecting statistical information. This is in contrast to shallow packet inspection (usually called Stateful Packet Inspection) which just checks the header portion of a packet.
Commodity network elements such as network switches, routers or the like, are, however, limited for the inspection of Layer2/Layer3/Layer4 (Data Link Layer/Network Layer/Transport Layer) protocol parameters but not tunnel parameters.
For monitoring purpose, one approach is known from US 2008/0031141 A1 which proposes to distribute the packets among multiple processors within the monitoring device. For this purpose, the incoming packets arrive at a distributor function which selects the processor based on the header attributes of the inner user IP packet, typically based on the source and destination address. The limitation of this method is that it scales only as per the processors and memory can be put into one single node.